DETAILED ACTION

Continued Examination Under 37 CFR 1.114 

1. A request for continued examination under 37 CFR 1.114, including the fee set forth in
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e)
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to
37 CFR 1.114. Applicant's submission filed on 11/30/2006 has been entered.

Response to Arguments 

2. In response to communications filed on 11/30/2006, Applicant amends claims 1, 2, 5, 12,
23, and 30. Applicant adds claims 39 and 43. The following claims 1-5, 7-14, 23-30, and 32-43 
are presented for examination. 

2.1 Applicant's arguments, pages 8-14, filed on 11/30/2006, with respect to the rejection of
claims 1-5, 7-14, 23-30, and 32-38 have been fully considered but they are moot in view of a 
new ground of rejection. With respect to claim 1, claim 1 has been amended to more particularly 
point out Applicant's invention by adding that the request is from a central server. A new 
ground of rejection is set forth below to address this limitation. Applicant argues that Yavatkar 
does not mention intrusion detection at all. Examiner respectfully disagrees and some 
documents are provided to Applicant to show many different interpretations of the term
"intrusion detection" as defined in the art. With respect to claim 30, Applicant argues that
Yavatkar does not disclose installing intrusion detection software on a plurality of remote
computers. Examiner respectfully disagrees. Yavatkar discloses watchdog agents may be placed 
at multiple nodes (see column 14, lines 18-32); a watchdog agent installed on one node can 
create bloodhound agents in different nodes as it moves from node to node (see column 9, lines 
15-23 and column 14, lines 49-56); and agents can install other objects on network devices (see 
column 14, lines 10-17). Upon further consideration, a new ground of rejection is set forth
below. 

Claim Rejections - 35 USC § 112 

3. The following is a quotation of the first paragraph of 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner 
and process of making and using it, in such full, clear, concise, and exact terms as to enable any 
person skilled in the art to which it pertains, or with which it is most nearly connected, to make 
and use the same and shall set forth the best mode contemplated by the inventor of carrying out 
his invention. 

3.1 Claim 1 and the intervening claims are rejected under 35 U.S.C. 112, first paragraph, as 
failing to comply with the written description requirement. The claim contains subject matter, 
which was not described in the specification in such a way as to reasonably convey to one skilled 
in the relevant art that the inventor(s), at the time the application was filed, had possession of the 
claimed invention. Examiner cannot find where in the disclosure a request is provided from a 
central server receiving at a software agent program to initiate intrusion detection services on a 
plurality of remote computers. It appears that the specification discloses that the server directs
agent to initiate services on the computer on which the agent is running (see for instance page 5,
lines 10-15). 

Claim Rejections - 35 USC § 103 
4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as 
set forth in section 102 of this title, if the differences between the subject matter sought to be 
patented and the prior art are such that the subject matter as a whole would have been obvious at 
the time the invention was made to a person having ordinary skill in the art to which said subject 
matter pertains. Patentability shall not be negatived by the manner in which the invention was 
made. 

Claims 30, 32-35, and 38 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
US Patent 6,735,702 to Yavatkar et al. 

As per claim 30, Yavatkar et al discloses a method for implementing an intrusion 
detection system in a network, comprising in one embodiment the watchdog agent receives 
notification from the bloodhound agent, (see column 16, lines 17-30; column 18, lines 31-40 and 
lines 49-55) that meets the recitation of receiving notification of a network intrusion; 

In response to the notification, the watchdog agent launches an agent or installing 
intermediate filters in the network (see column 18, lines 54-64) that meets the recitation of
transmitting an installation request in response to the notification for example (see column 18,
lines 49-64) 

installing intermediate filters in the network (see column 18, lines 62-67) to combat 
attacks the present invention may find paths and take appropriate actions such as installing 
firewall entries at the appropriate devices to block such traffic (see column 14, lines 10-17) that 
meets the recitation of installing intrusion detection software on said remote computer via said 
software agent program in response to the request. Yavatkar et al even discloses a network 
may have with multiple gateways and when a particular gateway is identified for allowing traffic 
filter is installed on that particular gateway to halt traffic (see column 13, lines 54-58). As 
interpreted by the Examiner the several filters in the network may be installed in more than one 
device, since the attack is taken through different paths. Yavatkar et al further discloses when 
such a path is found appropriate action may be installing firewall entries at the appropriate 
devices to block traffic (see column 14, lines 10-17), which clearly meets the claimed limitation. 
In another embodiment, agents are being requested and deployed in notification of a network 
intrusion (see column 14, lines 18-28). Therefore, it would have been obvious to one of ordinary 
skill in the art at the time the invention was made to provide installation to more than one 
network device to secure many paths and prohibit traffic from many sources. 

As per claim 32, Yavatkar et al discloses deployed watchdog agents at multiple nodes 
at key points such as routers that meets the recitation of selecting said remote computers from a 
plurality of eligible computers (see column 14, lines 18-28).

As per claim 33, Yavatkar et al discloses resources to be accessed may be based on
routing table that meets the recitation of said selecting step is accomplished based on a network 
map (see column 5, lines 21-36). 

As per claim 34, Yavatkar et al discloses the limitation of wherein said selecting step is 
accomplished based on a knowledge base (see column 5, lines 30-36 and column 10, lines 26- 
42). 

As per claim 35, Yavatkar et al discloses controlling method for querying for agents 
including to ensure integrity of agents they should be verified using a cryptographic 
authentication scheme that meets the limitation of wherein said request is verified using a 
cryptographic authentication scheme (see column 10, lines 43-52 and column 9, lines 52-67). 

As per claim 38, Yavatkar et al discloses wherein said stop condition is based on 
network traffic conditions (see column 18, lines 36-37).

5. Claims 1-4, 7-10, 13-14, 23-25, 27-29 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over US Patent 6,735,702 to Yavatkar et al in view of US Patent 6,842,781 to 
Lavian et al. 

As per claim 1, Yavatkar et al discloses a method for implementing an intrusion 
detection system in a network, comprising receiving notification to initiate intrusion detection 
software as watchdog agents on a plurality of remote computers (see column 16, lines 17-30 and
column 14, lines 18-28) that meets the recitation of receiving a request at a software agent
program to initiate intrusion detection services on a plurality of remote computers request may 
be issued by administrator or any monitoring software residing on any computer, wherein the 
request is issued in response to a notification of a network intrusion (see column 16, lines 17-30) 
that meets the recitation of wherein the request is issued in response to a notification of a 
network intrusions and discloses the launching of mobile agents on nodes which also can install 
code into the device (see column 14, lines 18-28) that meets the recitation of installing intrusion 
detection software on said remote computer via said software agent program, and executing 
other agents on the remote computers (see column 14, lines 49-63) that meets the recitation of 
executing said intrusion detection software on said remote computer via said software agent 
program, for example* (see page 165, first column and conclusion). See also embodiment in 
column 18, lines 32-55. Yavatkar et al is silent about the request is received from a server. 
Lavian et al in an analogous art teaches network and system for performing a network 
management by executing the network management application to a network device or agent for 
performing the task to reduce the processing load from a management server (see column 3, lines 
23-40). The method includes receiving request from the NMS server at an agent (see column 7, 
lines 43-59; and once the network device downloads and executes the application, the network 
device can perform management over other network devices (see column 7, line 65 through 
column 8, line 12) to initiate detection service on each of the computers or network devices 
executing the software agents (see column 7, lines 43-59; column 3, lines 22-27 and lines 47-50). 
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention 
was made to modify Yavatkar et al to provide a server for sending request to a software agent to
access other remote devices because it would allow the agent to perform task at critical moment
when attack is detected as suggested by Lavian et al (column 3, lines 22-50). 

As per claim 2, Yavatkar et al discloses proactive environment can exist on each of the 
multiple nodes and can create agents and enable mobile agents to start, suspend, stop, and 
destroy services (see column 5, lines 8-20) that meets the recitation of receiving a request to 
terminate intrusion detection services at said software agent program and as disclosed by Lavian 
et al manager server may control agents and requests them for performing tasks (see column 7, 
lines 43-50). 

As per claim 3 Yavatkar et al discloses the limitation of monitoring for fulfillment of a 
stop condition (see column 5, lines 8-20). 

As per claims 4 and 13, Yavatkar et al discloses wherein said stop condition is based 
on network traffic conditions (see column 18, lines 36-37).

As per claim 7, Yavatkar et al discloses deployed watchdog agents at multiple nodes at 
key points such as routers that meets the recitation of selecting said remote computers from a 
plurality of eligible computers (see column 14, lines 18-28).

As per claim 8, Yavatkar et al discloses resources to be accessed may be based on
routing table that meets the recitation of said selecting step is accomplished based on a network 
map (page 162 and page 165, first column). 



As per claim 9, Yavatkar et al discloses the limitation of wherein said selecting step is 
accomplished based on a knowledge base (see column 5, lines 30-36 and column 10, lines 26- 
42). 



As per claims 10 and 14, Yavatkar et al discloses controlling method for querying for 
agents including to ensure integrity of agents they should be verified using a cryptographic 
authentication scheme that meets the limitation of wherein said request is verified using a 
cryptographic authentication scheme (see column 10, lines 43-52 and column 9, lines 52-67). 

As per claim 23, Yavatkar et al substantially discloses a system for detecting intrusions 
in a computer network comprising: a plurality of computers executing software agents (see 
column 8, lines 11-20); an intrusion detection server (see column 1, lines 21-25) any network
device can be acted as an instruction server without departing from the spirit and scope of the 
invention disclosed by Yavatkar et al; and discloses an access control list with all the access 
rules (see column 10, lines 26-42) that meets the limitation of a database configured to store at 
least one rule defining at least one response to a network intrusion, wherein said intrusion 
detection server is configured to send a request to execute intrusion detection software to 
software agents at a plurality of computers (see column 14, lines 18-28) when intrusion detection
services are needed based on the at least one rule stored in said database (see column 10, lines
26-52 and column 14, lines 44-48). Yavatkar et al is silent about the request is received from a 
server. Lavian et al in an analogous art teaches network and system for performing a network 
management by executing the network management application to a network device or agent for 
performing the task to reduce the processing load from a management server (see column 3, lines 
23-40) and also discloses a database to facilitate converting object oriented requests for MIB 
information into requests for network parameters (see column 5, lines 35-53); and a network 
table including a list of network addresses associated with network devices to assist in requests 
from the network management application (see column 6, lines 16-27). The method includes 
receiving request from the NMS server at an agent (see column 7, lines 43-59; and once the 
network device downloads and executes the application, the network device can perform 
management over other network devices (see column 7, line 65 through column 8, line 12) to 
initiate detection service on each of the computers or network devices executing the software 
agents (see column 7, lines 43-59; column 3, lines 22-27 and lines 47-50). Therefore, it would 
have been obvious to one of ordinary skill in the art at the time the invention was made to 
modify Yavatkar et al to provide a server for sending request to a software agent to access other 
remote devices because it would allow the agent to perform task at critical moment when attack 
is detected as suggested by Lavian et al (column 3, lines 22-50). 



As per claim 24, Yavatkar et al discloses calling for more agents when network 
intrusion is detected that meets the recitation of wherein said intrusion detection server increases
the number of said plurality of computers executing intrusion detection software when a network
intrusion is detected (see column 19, lines 14-20). 

As per claim 25, Yavatkar et al discloses the limitation of wherein said intrusion 
detection server changes the number of said plurality of computers executing intrusion detection 
software when the level of network traffic changes (see column 19, lines 14-20). 

As per claim 27, Yavatkar et al discloses the limitation of wherein said database 
contains information about the plurality of computers (see column 10, lines 26-42). 

As per claim 28, Yavatkar et al discloses the limitation of wherein said information 
includes a map of said computer network (see column 5, lines 21-36). 

As per claim 29 Yavatkar et al discloses the limitation of wherein said selecting step is 
accomplished based on a knowledge base (see column 5, lines 30-36 and column 10, lines 26- 
42). 

6. Claims 5, 11, 12, and 41-43 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over US Patent 6,735,702 to Yavatkar et al in view of US Patent 6,842,781 to Lavian et al as 
applied to claims 1-13 and 23 and further in view of US Patent Publication 2002/0003884 to 
Sprunk.

As per claims 11 and 41, Yavatkar et al discloses a proactive environment that allows
agent to operate on one node, stop execution, and resume execution which could be broadly and 
reasonably interpreted by one of ordinary skill in the art as wherein said request includes a stop 
condition indicating when to stop executing the intrusion detection software program, for 
example (see column 5, lines 18-20). Yavatkar et al does not explicitly state that the stop 
condition applies to all eligible computers. Sprunk in an analogous art teaches a secure access 
system comprising an access control processor (ACP) for monitoring which application objects 
are executed in computer systems and to confirm their authorization and authenticity. Although 
the exemplary embodiment uses set top boxes, the invention is applicable to PC computers, 
which are susceptible to viruses, and hackers as disclosed in the background. Sprunk discloses 
that checkpoints are embedded in the applications on each system to trigger the ACP, and among 
the features of the ACP, the ACP can stop running applications if an error is detected or if 
authorization expires (see paragraph 54) and further discloses "Lifetime information allows the 
expiration of the authorization of the object to prevent use after a certain date and time", and 
authorization of a software object can be programmed to expire after a certain amount of time 
(see paragraphs 62 and 66) that meets the recitation of a stop condition indicating when to stop 
executing the intrusion detection software program and wherein the stop condition applies to all 
eligible computers. As interpreted by the Examiner, the execution of the software will stop on 
all computers with a date/time expiration status. Therefore, it would have been obvious to one of 
ordinary skill in the art at the time the invention was made to modify the method as combined 
above to provide a way of monitoring wherein execution of the application can be stopped in the 
event that an unauthorized object is detected as suggested by Sprunk. One of ordinary skill in
the art would have been motivated to do so because it would provide an immediate action
response based on what applications or objects are authorized to be executed on each computer 
system. 

As per claims 5 and 12, Yavatkar et al does not explicitly state that the stop condition 
is an expiration time. Sprunk in an analogous art teaches a secure access system comprising an 
access control processor (ACP) for monitoring which application objects are executed in a 
computer system and to confirm their authorization and authenticity. Although the exemplary 
embodiment uses set top boxes, the invention is applicable to PC computers, which are 
susceptible to viruses, and hackers as disclosed in the background. Sprunk discloses that 
checkpoints are embedded in the applications on each system to trigger the ACP, and among the 
features of the ACP, the ACP can stop running applications if an error is detected or if 
authorization expires (see paragraph 54) and further discloses "Lifetime information allows the 
expiration of the authorization of the object to prevent use after a certain date and time", and 
authorization of a software object can be programmed to expire after a certain amount of time 
(see paragraphs 62 and 66) that meets the recitation of wherein the stop condition is an expiration 
time. As interpreted by the Examiner, the execution of the software will stop on all computers 
with a date/time expiration status. Therefore, it would have been obvious to one of ordinary skill 
in the art at the time the invention was made to modify the method as combined above to provide 
a way of monitoring wherein execution of the application can be stopped in the event that an 
unauthorized object is detected or when time is expired as suggested by Sprunk. One of 
ordinary skill in the art would have been motivated to do so because it would provide an
immediate action response based on which applications or objects are authorized to be executed
on each computer system. 

As per claim 42, Sprunk discloses a monitoring process wherein checkpoints are 
embedded in the applications on each system to trigger the ACP, and among the features of the 
ACP, the ACP can stop running applications if an error is detected or if authorization expires 
(see paragraph 54) that meets the recitation of monitoring for fulfillment of a stop condition at 
each of the plurality of remote computers executing intrusion detection software (see paragraphs 
5, lines 18-20). Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the method as combined above to provide a way of 
monitoring wherein execution of the application can be stopped at each of the plurality of remote 
computers because it would allow the software to stop execution in the event that an 
unauthorized object is detected or when time is expired as suggested by Sprunk above. One of 
ordinary skill in the art would have been motivated to do so because it would provide an 
immediate action response based on which applications or objects are authorized to be executed 
on each computer system. 

As per claim 43, Sprunk discloses "Lifetime information allows the expiration of the 
authorization of the object to prevent use after a certain date and time", and authorization of a 
software object can be programmed to expire after a certain amount of time (see paragraphs 62 
and 66) that meets the recitation of wherein the stop condition for each of the plurality of 
computers is based on a time during which each of the plurality of remote computers has been
executing intrusion detection software (see paragraphs 5, lines 18-20). Therefore, it would have
been obvious to one of ordinary skill in the art at the time the invention was made to modify the 
method as combined above to provide a way of monitoring wherein execution of the application 
can be stopped at each of the plurality of remote computers when executing intrusion detection 
software because it would allow the software to stop execution in the event that an unauthorized 
object is detected or when time is expired as suggested by Sprunk above. One of ordinary skill 
in the art would have been motivated to do so because it would provide an immediate action 
response based on which applications or objects are authorized to be executed on each computer 
system. 

7. Claims 36-37 are rejected under 35 U.S.C. 103(a) as being unpatentable over US Patent 
6,735,702 to Yavatkar et al in view of US Patent Publication 2002/0003884 to Sprunk. 

As per claims 36 and 37, Yavatkar et al discloses a proactive environment that allows
agent to operate on one node, stop execution, and resume execution which could be broadly and 
reasonably interpreted by one of ordinary skill in the art as wherein said request includes a stop 
condition indicating when to stop executing the intrusion detection software program, for 
example (see column 5, lines 18-20). Yavatkar et al does not explicitly state that the stop 
condition is an expiration time. Sprunk in an analogous art teaches a secure access system 
comprising an access control processor (ACP) for monitoring which application objects are 
executed in a computer system and to confirm their authorization and authenticity. Although the 
exemplary embodiment uses set top boxes, the invention is applicable to PC computers, which
are susceptible to viruses, and hackers as disclosed in the background. Sprunk discloses that
checkpoints are embedded in the applications on each system to trigger the ACP, and among the 
features of the ACP, the ACP can stop running applications if an error is detected or if 
authorization expires (see paragraph 54) and further discloses "Lifetime information allows the 
expiration of the authorization of the object to prevent use after a certain date and time", and 
authorization of a software object can be programmed to expire after a certain amount of time 
(see paragraphs 62 and 66) that meets the recitation of a stop condition indicating when to stop 
executing the intrusion detection software program and wherein the stop condition is an 
expiration time. As interpreted by the Examiner, the execution of the software will stop on all 
computers with a date/time expiration status. Therefore, it would have been obvious to one of 
ordinary skill in the art at the time the invention was made to modify the method of Yavatkar et 
al to provide a way of monitoring wherein execution of the application can be stopped in the 
event that an unauthorized object is detected or when time is expired as suggested by Sprunk. 
One of ordinary skill in the art would have been motivated to do so because it would provide an 
immediate action response based on which applications or objects are authorized to be executed 
on each computer system. 

8. Claims 26 and 39-40 are rejected under 35 U.S.C. 103(a) as being unpatentable over US 
Patent 6,735,702 to Yavatkar et al in view of US Patent 6,842,781 to Lavian et al as applied to 
claims 1-13 and 23 and further in view of US Patent 6,401,238 to Brown et al.

As per claim 26, both references disclose the claimed system of claim 23. Neither of the
references discloses an intrusion detection server changing the number of said plurality of 
computers executing intrusion detection software depending on the time of day. Brown et al in 
an analogous art teaches intelligent deploy of application to given machines in a network by a 
server based on criteria to reflect user needs and network environment (see column 1 5 lines 40- 
45). Brown et al further discloses determining which of a given set of users (client machines) 
have a given priority based on a user profile wherein the monitored condition is based on time of 
day (see column 8, lines 10-11 and 29-30 and abstract) that meets the recitation of an intrusion 
detection server changing the number of said plurality of computers executing intrusion detection 
software depending on the time of day. Therefore, it would have been obvious to one of 
ordinary skill in the art at the time the invention was made to modify the method as combined 
above to include the step of changing the number of said plurality of computers executing 
intrusion detection software depending on the time of day as suggested by Brown et al. One of 
ordinary skill in the art would have recognized the advantage of providing an intelligent 
deployment of applications that controls the use of network bandwidth and network priorities as 
suggested by Brown et al (see column 1, lines 26 through column 2, line 25). 

As per claim 39, Brown et al discloses applications are initiated at a plurality of remote 
computers selected based on a number of platforms that are currently active as the server 
monitors current bandwidth utilization as a measure of traffic over a short period immediately 
preceding the call to the server that meets the recitation of wherein intrusion detection services 
are initiated at a plurality of remote computers selected based on a number of platforms that are
currently active (see column 5, lines 40-47 and column 6, lines 39-47). Therefore claim 39 is
rejected on the same rationale as the rejection of claim 26 above. 

As per claim 40, Brown et al discloses applications are initiated at a plurality of remote 
computers selected based on network usage to minimize congestion and predetermined rules that 
take into consideration high and low network usage (see column 6, lines 1-8 and 58-67 and 
column 1, lines 11-21 and fig. 4) that meets the recitation of wherein intrusion detection services 
are initiated at a plurality of remote computers selected based on predetermined
numbers of maximum and minimum limits on a number intrusion detection platforms (see 
column 5, lines 40-47 and column 6, lines 39-47). Therefore claim 40 is rejected on the same 
rationale as the rejection of claim 26 above. 

Conclusion 

9. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Carl Colin whose telephone number is 571-272-3862. The 
examiner can normally be reached on Monday through Thursday, 8:00-6:30 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser G. Moazzami can be reached on 571-272-4195. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300.